[lug] TCP Wrappers and Going After Bad People

Greg Horne jeerygh at hotmail.com
Wed Sep 12 15:55:16 MDT 2001


Thanks Walter!  Oh yeah, a correction to my last mail.  It's NTP, not NCP.
Heh.  Oh yeah!  In case anybody was wondering about the TCP Wrappers in this
mail's Subject, it refers to the fact that every time a disallowed IP tries to
access one of my ports, TCP Wrappers e-mails me.

Greg Horne


>From: Walter Pienciak <walter at frii.com>
>Reply-To: lug at lug.boulder.co.us
>To: <lug at lug.boulder.co.us>
>Subject: Re: [lug] TCP Wrappers and Going After Bad People
>Date: Wed, 12 Sep 2001 12:14:54 -0600 (MDT)
>
>On Wed, 12 Sep 2001, Greg Horne wrote:
>
> > Yo BLUG, yes. . . You CAN help Greg get the bad guys!
> >
> > So two people stand out in my logs as always trying to break into my
> > systems.  I get e-mails daily from the servers saying . . . Tried NS1,
> > tried MMS1, tried Webserver 1, etc. . .
> >
> > My question is this:  Have any of you tried to track some of these
> > people down?  Any success stories to tell?  If so, what were your methods?
> >
> > For good measure I'll include the *evil* offenders.
> >
> > attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165
> > to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
> >
> > attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5
> > to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
> >
> > Thanks,
> >
> > Greg Horne
>
>Hi, Greg.
>
>1)  Many security people are going to yawn if you present occasional
>     attempts at FTP access as hacking that demands their attention.
>     I assume there's more:  i.e., attempts on many services, so that
>     the logs show a clear pattern of repeated attempts on ports they
>     have no business attempting to access.
>
>That said, you proceed by
>
>a)  Make DAMNED sure you have NTP running on your hosts.  These connection
>     attempts may be from dial-up/part-time connections, or hosts with
>     multiple users, and unless your log's timestamps can be correlated
>     EXACTLY to their ISP's records, you are out of luck.  So make sure
>     NTP is running and synchronizing correctly NOW, and don't waste
>     your time pursuing this until/unless they hit you again, at which
>     point you'll have synchronized log files.
>
>b)  Do your research as to the correct contacts within the offending
>     ISPs.  Look on their main website for security or abuse e-mail
>     aliases.  If that fails, look to their DNS SOA records for
>     a valid administrative alias within the domain.  They may deal with
>     your request, forward it on correctly or incorrectly, or ignore it.
>     Here's how you get an SOA record:
>
>     thunderdome [20]% nslookup
>     > set type=SOA
>     > sympatico.ca
>     Server:         216.17.128.1
>     Address:        216.17.128.1#53
>
>     sympatico.ca
>         origin = dns1.sympatico.ca
>         mail addr = dns-admin.sympatico.ca
>         serial = 400109041
>         refresh = 10800
>         retry = 3600
>         expire = 604800
>         minimum = 1200
>     > ^D
>
>     That line that reads 'mail addr = dns-admin.sympatico.ca' ?
>     Change the first . to an @:  dns-admin at sympatico.ca
>
>c)  Notify the ISP, and include relevant log data.
>
>d)  Don't expect a response, but move on.  Make sure your system
>     is as secure as you can make it, because responding to attempted
>     accesses is like playing Whack-a-Mole.
>
>Walter
>
>
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
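A worked example of Walter's steps (a) through (c), added here as an illustration and not code from either poster: it parses tcpd notification lines in the format Greg quoted, converts each timestamp to UTC with an explicit zone offset so the times can be matched against an ISP's records, groups attempts per source IP so a repeat pattern (several services, several hits) stands out instead of a one-off FTP probe, and turns the SOA `mail addr` field from the nslookup output into the e-mail address to notify. The log lines are constructed samples (the two from the thread plus two made up to show the grouping); the zone-abbreviation table is an assumption about what `date` printed on these hosts, and the script refuses any abbreviation it does not know rather than guessing, since a wrong offset makes the correlation worthless.

```python
"""Triage TCP Wrappers "attempt from ..." notifications and draft an abuse report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input in the format of the tcpd mails quoted in the thread.
SAMPLE_LOG = """\
attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165 to in.ftpd at Wed Sep 12 05:30:51 PDT 2001
attempt from APoitiers-103-1-1-165.abo.wanadoo.fr unknown 193.253.254.165 to in.telnetd at Wed Sep 12 05:31:07 PDT 2001
attempt from HSE-QuebecCity-ppp3496564.sympatico.ca unknown 65.92.224.5 to in.ftpd at Tue Sep 11 18:57:37 PDT 2001
attempt from dhcp-17.example.net unknown 192.0.2.17 to in.ftpd at Wed Sep 12 09:02:10 MDT 2001
"""

LINE_RE = re.compile(
    r"^attempt from (?P<host>\S+) (?P<ident>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<service>\S+) at (?P<stamp>.+)$"
)

# Assumption: these are the abbreviations `date` printed on the logging hosts.
# Unknown abbreviations are rejected, not guessed: an ISP matches on exact times.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "PDT": -7, "PST": -8, "MDT": -6, "MST": -7}

def parse_stamp(stamp):
    """'Wed Sep 12 05:30:51 PDT 2001' -> timezone-aware datetime in UTC."""
    parts = stamp.split()
    if len(parts) != 6:
        raise ValueError("unexpected timestamp: %r" % stamp)
    zone = parts[4]
    if zone not in TZ_OFFSETS:
        raise ValueError("unknown time zone %r in %r" % (zone, stamp))
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    local = naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))
    return local.astimezone(timezone.utc)

def parse_line(line):
    """Return a dict for one tcpd notification line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["utc"] = parse_stamp(rec.pop("stamp"))
    return rec

def summarize(text):
    """Group attempts per source IP: count, distinct services, first/last seen (UTC)."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["utc"])
        summary[ip] = {
            "host": recs[0]["host"],
            "count": len(recs),
            "services": sorted({r["service"] for r in recs}),
            "first": recs[0]["utc"].isoformat(),
            "last": recs[-1]["utc"].isoformat(),
        }
    return summary

def rname_to_email(rname):
    """Convert an SOA RNAME (RFC 1035 mailbox encoding) to an e-mail address.

    The first unescaped dot separates the local part from the domain; a
    backslash-escaped dot is a literal dot in the local part, so
    'john\\.doe.example.com.' becomes 'john.doe@example.com'.
    """
    rname = rname.rstrip(".")
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):   # escaped character, keep it literally
            local.append(rname[i + 1])
            i += 2
        elif c == ".":                          # first unescaped dot: the '@'
            return "".join(local) + "@" + rname[i + 1:]
        else:
            local.append(c)
            i += 1
    raise ValueError("RNAME has no domain part: %r" % rname)

def abuse_report(ip, summary, contact):
    """Draft the notification mail for one source IP (step c: include log data)."""
    s = summary[ip]
    return "\n".join([
        "To: " + contact,
        "Subject: repeated connection attempts from %s (%s)" % (ip, s["host"]),
        "",
        "%d attempt(s) against %s between %s and %s."
        % (s["count"], ", ".join(s["services"]), s["first"], s["last"]),
        "Times are UTC from NTP-synchronized hosts.",
    ])

if __name__ == "__main__":
    summ = summarize(SAMPLE_LOG)
    for ip, s in sorted(summ.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, s["count"], s["services"], s["first"], s["last"])
    print(abuse_report("65.92.224.5", summ, rname_to_email("dns-admin.sympatico.ca")))
```

To use it on real mail, save the tcpd notifications to a file and feed its contents to `summarize`; feed the `mail addr` value printed by nslookup to `rname_to_email`. Anything with a count of one and a single service is the occasional probe Walter says will make people yawn; the per-IP grouping is what shows the pattern worth reporting.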

